Have AUTO_SETUP_GLOBAL_PASSWORD accept salted and hashed passwords.

Open firstkevinds opened this issue 1 month ago • 2 comments

Creating a feature request

Is your feature request related to a problem? Please describe:

  • It would increase security to have the AUTO_SETUP_GLOBAL_PASSWORD option in dietpi.txt accept passwords as salt and hash.

Describe the solution you'd like:

  • I would like AUTO_SETUP_GLOBAL_PASSWORD in dietpi.txt to have the option of plain-text or salt+hash

Describe alternatives you've considered:

  • The alternative is to just save in plain-text which is less secure. DietPi already reads and removes the plaintext password on first boot, so it is already understood that having the default password in plain text in the file system is poor practice.

Additional context

  • Perhaps a new option in dietpi.txt as AUTO_SETUP_GLOBAL_PASSWORD_SECURE with accepted values 0/1, False/True, N/Y, No/Yes, with the default if omitted as the negative so as not to break compatibility with old versions of dietpi.txt missing the 'new' option.

firstkevinds, Nov 24 '25 05:11

I don't really see where the security gain comes from. The password specified under AUTO_SETUP_GLOBAL_PASSWORD is written as a HASH directly during the first boot and before the first login. It is never stored as a plain text password in the system. Furthermore, the system automatically requires a password change during the first boot if the default password is used.

Joulinar, Nov 25 '25 07:11

I agree there would be a little security benefit, since the plain text password would never be readable anywhere. It is otherwise world-readable on a FAT partition until first boot setup imports it. Usually not an issue, but there may be less trusted environments where it is. Also when doing mass deployments reusing the same dietpi.txt, which hence needs to remain on the system which flashes the boot media.

But there is a practical blocker at the moment: The default software password needs to be available for dietpi-software in plain text, so it can apply it to installed software configurations with whichever hashing algorithm that supports. For this reason, it is also not really hashed on import, but encrypted, so it can be decrypted for software installs. Not 100% secure, since in an open source project of course one can find the passphrase, but still better than leaving it in plain text on the disk, or leaving freshly installed web interfaces and such with fixed initial passwords like "password" or "dietpi" or "minecraft" or so, and it is made readable by root only, of course.

This of course does not apply for the UNIX user passwords. If a supported passwd hash is provided, like yescrypt or the previous strongest SHA512-based one, it could be applied with the hash only. But for simplicity, there is only one AUTO_SETUP_GLOBAL_PASSWORD setting used for both, initial UNIX user password as well as initial default password for dietpi-software installs. Hence, it would need to be split. We could then auto-detect the hashing algorithm, if one is used, by the prefix, like $y$ for yescrypt and $6$ for SHA512 to not have 3 password settings. Would need to be documented which algorithm is supported in which form, so users do not use the sha512sum command, which does not work.

MichaIng, Nov 25 '25 19:11
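
The prefix auto-detection suggested in the last comment, as an added example (not DietPi code and not written by any participant in this thread). The function names and result labels are hypothetical, and the field lengths are a structural sanity check assumed here; it also flags bare `sha512sum` output, which is not a passwd hash.

```sh
#!/bin/sh
# Added example: classify a candidate AUTO_SETUP_GLOBAL_PASSWORD value by its
# crypt(3) prefix. Names and labels are hypothetical, not DietPi's own.

# Succeeds if the whole of $1 matches the extended regex $2.
matches() { printf '%s\n' "$1" | grep -Eqx -- "$2"; }

# Prints one of: sha512crypt, yescrypt, malformed, sha512sum-digest, plain
classify_password_value() {
    v=$1
    case $v in
        '$6$'*)
            # $6$[rounds=N$]salt$hash: non-empty salt up to 16 chars, 86-char hash
            if matches "$v" '\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}'
            then echo sha512crypt; else echo malformed; fi ;;
        '$y$'*)
            # $y$params$salt$hash: 43-char hash (256 bits in crypt base64)
            if matches "$v" '\$y\$[./0-9A-Za-z]+\$[./0-9A-Za-z]{1,86}\$[./0-9A-Za-z]{43}'
            then echo yescrypt; else echo malformed; fi ;;
        *)
            # 128 hex digits, optionally followed by a file name column, is
            # sha512sum output: an unsalted digest that passwd cannot use.
            if matches "$v" '[0-9a-fA-F]{128}( .*)?'
            then echo sha512sum-digest; else echo plain; fi ;;
    esac
}

# Constructed sample values (placeholder hashes, not real credentials).
demo() {
    h86=$(printf '%086d' 0); h43=$(printf '%043d' 0); h128=$(printf '%0128d' 0)
    for sample in \
        "\$6\$constructedsalt\$$h86" \
        "\$y\$j9T\$constructedsalt\$$h43" \
        "\$6\$constructedsalt\$tooshort" \
        "$h128  -" \
        'correct horse'
    do
        printf '%-18s %.24s...\n' "$(classify_password_value "$sample")" "$sample"
    done
}
demo
```

A value classified as `sha512crypt` or `yescrypt` is in the form that `chpasswd -e` accepts for the UNIX user password; `plain` would still be needed for the dietpi-software default password described above.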